New CIS Controls Mapping to the NIST CSF in a Standardized Data Format
In August 2019, an updated report was released by the National Institute of Standards and Technology (NIST). NIST Interagency Report 8204 is a Cybersecurity Framework Online Informative References (OLIR) Submissions document that lays out steps for comparing multiple frameworks. The aim of this initiative is to clarify cybersecurity standards. The NIST OLIR effort is working to develop a mutually intelligible lexicon. Think of it as Rosetta Stone for cybersecurity guidelines. The NIST OLIR effort is meant to ease the development and structure of other cybersecurity frameworks to map to the NIST Cybersecurity Framework (CSF). It can conceptually be used to map any set of standards together. At its core, the OLIR format provides a standard way to compare two sets of best practices.
Laying the groundwork for mapping
CIS acted as an early adopter of the NIST OLIR specification by providing a mapping of the CIS Controls Version 7.1 to version 1.1 of the NIST CSF. NIST CSF provides a variety of references to other standards. The NIST OLIR specification allows the relationship between two separate elements to be described by authors in the Excel template provided by NIST. The specification also lays the foundation for automated control comparison.
Multiple mappings to cybersecurity standards
CIS provides mappings to multiple cybersecurity standards, such as NIST CSF and ISO 210071. Our CIS Controls team is in the process of creating mappings to NIST SP 800-171 and NIST SP 800-53 that are expected to be released in Q1 of 2020. CIS has begun to leverage the types of relationships described by the NIST OLIR specification within our mappings to other security best practices. These mappings are available on our website and in CIS WorkBench, a site for cybersecurity professionals to network and collaborate. Community members work together to develop and map security best practices.
Flexibility for the future
CIS views the NIST OLIR specification as another way to support users of the CIS Controls. Cybersecurity professionals who leverage the CIS Controls may have unique missions or be concurrently subject to multiple security frameworks. Accordingly, providing mappings to the CSF in this format helps to ensure that the CIS Controls continue to be flexible and easy to use. The NIST OLIR specification is another tool in the information security toolbelt to achieve that goal.